libavcodec/flac_parser: Validate subframe zero bit and type

Reduces the risk of finding false frames that happens to have valid values and CRC. Fixes ticket #9185 ffmpeg flac decoder incorrectly finds junk frame https://trac.ffmpeg.org/ticket/9185

libavcodec/flac_parser: Validate subframe zero bit and type
Reduces the risk of finding false frames that happens to have valid values and CRC. Fixes ticket #9185 ffmpeg flac decoder incorrectly finds junk frame https://trac.ffmpeg.org/ticket/9185
49597300 · Mattias Wadman · Paul B Mahol · 374d6469 · 49597300
Commit 49597300 authored Oct 13, 2021 by Mattias Wadman Committed by Paul B Mahol Oct 18, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 2 deletions

flac_parser.c libavcodec/flac_parser.c +28 -2

No files found.
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@@ -96,8 +96,34 @@ static int frame_header_is_valid(AVCodecContext *avctx, const uint8_t *buf,
                                 FLACFrameInfo *fi)
 {
    GetBitContext gb;
-    init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8);
-    return !ff_flac_decode_frame_header(avctx, &gb, fi, 127);
+    uint8_t subframe_type;
+
+    // header plus one byte from first subframe
+    init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8 + 8);
+    if (ff_flac_decode_frame_header(avctx, &gb, fi, 127)) {
+        return 0;
+    }
+    // subframe zero bit
+    if (get_bits1(&gb) != 0) {
+        return 0;
+    }
+    // subframe type
+    // 000000 : SUBFRAME_CONSTANT
+    // 000001 : SUBFRAME_VERBATIM
+    // 00001x : reserved
+    // 0001xx : reserved
+    // 001xxx : if(xxx <= 4) SUBFRAME_FIXED, xxx=order ; else reserved
+    // 01xxxx : reserved
+    // 1xxxxx : SUBFRAME_LPC, xxxxx=order-1
+    subframe_type = get_bits(&gb, 6);
+    if (!(subframe_type == 0 ||
+          subframe_type == 1 ||
+          ((subframe_type >= 8) && (subframe_type <= 12)) ||
+          (subframe_type >= 32))) {
+        return 0;
+    }
+
+    return 1;
 }

 /**